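# NixOS module for one PHP-FPM backed site: an nginx virtual host with ACME
# TLS, a dedicated PHP-FPM pool, and a deploy user whose home directory is
# the site's data directory.
{ pkgs, lib, config, ... }:

let
  domain = "scana11y.com";
  dataDir = "/var/www/${domain}";
  # Account name derived from the domain: "." and "-" both become "_".
  user = builtins.replaceStrings [ "." "-" ] [ "_" "_" ] domain;
in
{
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    acmeRoot = "/var/lib/acme/acme-challenge";
    # Only the public/ subdirectory is served, not the whole data directory.
    root = "${dataDir}/public";

    locations."/favicon.ico".extraConfig = ''
      log_not_found off;
      access_log off;
    '';

    # Unmatched paths fall back to /index.html, keeping the query string.
    locations."/".extraConfig = ''
      index index.html;
      try_files $uri $uri/ /index.html$is_args$args;
    '';

    # In a double-quoted Nix string "\." evaluates to a bare ".", which nginx
    # would read as "any character"; "\\." keeps the literal dot so only real
    # file extensions match (the PHP location below already escapes it this way).
    locations."~* \\.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
      expires 365d;
      add_header Pragma "public";
      add_header Cache-Control "public";
    '';

    # The -f test returns 404 unless the script part of the split path is an
    # existing file under the document root, so a request cannot make PHP-FPM
    # run a path that is not a real .php file.
    # NOTE(review): stock fastcgi.conf is usually fastcgi_params plus
    # SCRIPT_FILENAME, so including both may send each parameter twice - confirm.
    locations."~ [^/]\\.php(/|$)".extraConfig = ''
      fastcgi_split_path_info ^(.+?\.php)(/.*)$;
      if (!-f $document_root$fastcgi_script_name) {
        return 404;
      }
      include ${pkgs.nginx}/conf/fastcgi_params;
      include ${pkgs.nginx}/conf/fastcgi.conf;
      fastcgi_buffer_size 32k;
      fastcgi_buffers 8 16k;
      fastcgi_connect_timeout 240s;
      fastcgi_read_timeout 240s;
      fastcgi_send_timeout 240s;
      fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
      fastcgi_index index.php;
    '';
  };

  systemd.services."phpfpm-${domain}" = {
    serviceConfig = {
      # Home directories are replaced by an empty tmpfs inside the unit.
      ProtectHome = lib.mkForce "tmpfs";
      # The value is "source:destination" only. It previously began with a
      # second "BindPaths=", which is not an absolute path, so the bind mount
      # of the site directory was not the one intended.
      BindPaths = "${dataDir}:${dataDir}";
    };
  };

  services.phpfpm.pools."${domain}" = {
    inherit user;
    settings = {
      # nginx's account owns the pool socket so it can connect to it.
      "listen.owner" = config.services.nginx.user;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 5;
      "php_admin_value[error_log]" = "syslog";
      # Same 240 s budget as the fastcgi_*_timeout values in the vhost.
      "php_admin_value[max_execution_time]" = 240;
      "php_admin_value[max_input_vars]" = 1500;
      "access.log" = "/var/log/$pool.access.log";
    };
    phpPackage = pkgs.php84;
    # PATH for the pool contains the PHP 8.4 binaries only.
    phpEnv."PATH" = pkgs.lib.makeBinPath [ pkgs.php84 ];
  };

  # NOTE(review): the pool runs as this same account, which also owns the
  # site directory and accepts SSH logins, so PHP code can rewrite its own
  # sources. Consider separate deploy and runtime accounts if the site allows.
  users.users."${user}" = {
    isNormalUser = true;
    createHome = true;
    home = dataDir;
    # NOTE(review): 770 gives group "nginx" write access to the site directory;
    # serving files needs only read and traverse (750) - confirm nothing in
    # that group has to write here before tightening.
    homeMode = "770";
    group = "nginx";
    openssh.authorizedKeys.keys = [
      # An authorized_keys entry must be a single line: key type and key body
      # separated by one space, with no line break inside the string.
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID20OFQ9ZbRC2GFH5cii7mAhyD28GBwqM+1+2b36HI4k"
    ];
  };

  users.groups.${user} = { };
}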